How to securely run curl with No password exposure on cmd lines for CTM API login

Version 1

    Hi ALL


    Most of the time, when we call the CTM API /session/login endpoint with curl on the command line or from a shell script, we expose the username and password.


    Services - Documentation for Control-M Automation API 9.0.19 - BMC Documentation


    This security issue comes from the way curl options are used in scripts and on command lines.


    The solution is very simple:

    A ) curl can read its options from a config file, so a long command line is no longer necessary

    B ) the CTM API username and password can be stored in a text file, ctmapi_credentials_file.json

    C ) @ctmapi_credentials_file.json can then be passed as the POST data with the curl "-d" option.


    When curl is executed with -K curl_config_file.txt, the credentials are hidden from scripts and command line execution and are no longer exposed, as can be seen in the screen sample below.



    Please find below the detailed solution:


    Create File: ctmapi_credentials_file.json



    Create File: curl_config_file.txt


    -H "Content-Type: application/json"
    -X POST
    -d @ctmapi_credentials_file.json
    url = "https://<add your ctm api host here>:8443/automation-api/session/login"



    Execute Command line:

    curl -K curl_config_file.txt


    Command line result:




    Sample script for CTMAPI curl with no password exposure on CMD Line:

    With the sample script below, the curl_config_file.txt is created as part of the script execution:



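    ctmapi_endpoint="https://<add your ctm api host here>:8443/automation-api"
    curl_config_file=curl_config_file.txt

    # Create curl_config_file (it references the credentials file, not the password)
    # -k turns off TLS certificate verification
    echo "-k" > "$curl_config_file"
    echo "-H \"Content-Type: application/json\"" >> "$curl_config_file"
    echo "-X POST" >> "$curl_config_file"
    echo "-d @ctmapi_credentials_file.json" >> "$curl_config_file"
    # Long option name without dashes, so "=" is accepted as the separator
    echo "url = \"$ctmapi_endpoint/session/login\"" >> "$curl_config_file"
    echo "--anyauth" >> "$curl_config_file"

    # Get login token (the URL comes from the config file)
    login_token=$(curl -K "$curl_config_file")
    # Extract the value of the "token" field from the JSON response
    token=$(echo "$login_token" | awk -F"\"token\":\"" '{print $2}' | cut -d '"' -f 1)
    echo "$token"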




    I hope you like it and find it helpful for reuse.


    My Best Regards


    Adriano Gomes
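
Added example, not part of the original post: a hardened variant of the same approach that writes ctmapi_credentials_file.json with mode 600 from a password read on stdin, refuses to use a credentials file that other users can read, and feeds the config to curl on stdin (-K -) so no config file is left on disk. The function names are hypothetical, and the username/password JSON body is an assumption because the post does not show the file's contents.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names follow the post.

# Escape backslashes and double quotes (stdin to stdout) so the JSON stays valid.
json_escape() { sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Write the login JSON with mode 600. The password is read from stdin, so it
# never appears in argv, `ps` output or shell history.
# usage: write_credentials_file FILE USER < password_source
write_credentials_file() {
    cred_file=$1
    IFS= read -r pw || [ -n "$pw" ] || return 1
    esc_user=$(printf '%s' "$2" | json_escape)
    esc_pw=$(printf '%s' "$pw" | json_escape)
    # Assumed body shape: {"username": ..., "password": ...}
    ( umask 077
      printf '{"username": "%s", "password": "%s"}\n' "$esc_user" "$esc_pw" > "$cred_file" )
    chmod 600 "$cred_file"    # also tightens a file that already existed
}

# True only for a regular, non-symlink file with no group/other permission bits.
is_private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the curl config. It names the credentials file but holds no secret.
# usage: build_curl_config ENDPOINT CRED_FILE
build_curl_config() {
    printf 'header = "Content-Type: application/json"\n'
    printf 'request = "POST"\n'
    printf 'data = "@%s"\n' "$2"
    printf 'url = "%s/session/login"\n' "$1"
}

# Log in; argv shows only "curl -s -K -". Needs network access to the API.
# usage: ctm_login ENDPOINT CRED_FILE
ctm_login() {
    if ! is_private_file "$2"; then
        echo "refusing to use $2: not a private regular file" >&2
        return 1
    fi
    build_curl_config "$1" "$2" | curl -s -K -
}
```

The credentials file still holds the password in clear text, so its protection rests on the file permissions and on who can read the directory it lives in.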